On Mon, 2007-06-25 at 13:08 -0400, jamal wrote:

> > Why do you think that would be hard? It'd basically just mean replacing
> > the netlink_capable(sock, NL_NONROOT_RECV) calls with a call that
> > actually tests depending on the group(s) it wants.
>
> I think it could be done. You will need to have root maybe initially set
> such permissions etc - but it may be overkill.

I think we pretty much know in the kernel whether we want to require CAP_NET_ADMIN or not, let's punt the rest to userspace.

> > Yeah, sounds reasonable, you could ask the controller for which groups
> > are attached to a family and then get the IDs for those groups by name.
>
> Yes, we would need a newer api to do it right. But it could be done if
> you register for multi groups.

I've just replied somewhere else in this thread with a patch, I haven't actually tested that patch yet though. Once the generic netlink multicast is figured out we can start attacking the permissions issue.

johannes